Connected to VPN but no internet #923

@fengapappit

⚠️ Unless you are sure you find a bug with the script, please open a discussion instead of an issue!

Checklist

  • I read the README
  • I read the FAQ
  • I searched the issues
  • I searched the discussion
  • My issue is about the script, and not OpenVPN itself

Please include as much detail as possible in your issue:

  • Description of the issue
  • How to reproduce the issue
  • What you expected to happen
  • Logs
  • Server/Client versions (OS, OpenVPN, etc)
  • Any context or information that could help

Hello,

I installed an OpenVPN server using the script in the hope of having a full tunnel between my home computer and one of my servers.

I can successfully connect to the server using the VPN, but it's impossible to get anything from there.
Seems like an issue with the NAT, especially in the "server back to client" direction.

I cannot find what is wrong in the configuration for the life of me.

My iptables:

$sudo iptables -L -v --line-number
Chain INPUT (policy ACCEPT 6035 packets, 868K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     5155  548K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
2     3538  510K ACCEPT     udp  --  eno0   any     anywhere             anywhere             udp dpt:51194
3        4  2360 ACCEPT     all  --  tun0   any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     2482  209K ACCEPT     all  --  tun0   eno0    anywhere             anywhere            
2        0     0 ACCEPT     all  --  eno0   tun0    anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 7263 packets, 1106K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain f2b-sshd (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       16  1280 REJECT     all  --  any    any     128.199.76.195       anywhere             reject-with icmp-port-unreachable
2       18  1448 REJECT     all  --  any    any     150.109.7.77         anywhere             reject-with icmp-port-unreachable
3       13  1060 REJECT     all  --  any    any     222.185.241.130      anywhere             reject-with icmp-port-unreachable
4       23  1832 REJECT     all  --  any    any     server.sna.hsl.mybluehostin.me  anywhere             reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  any    any     103.105.66.97        anywhere             reject-with icmp-port-unreachable
6       10   528 REJECT     all  --  any    any     server.thietkewebvip.com  anywhere             reject-with icmp-port-unreachable
7       21  1676 REJECT     all  --  any    any     194.152.206.103      anywhere             reject-with icmp-port-unreachable
8       12   664 REJECT     all  --  any    any     121.4.68.192         anywhere             reject-with icmp-port-unreachable
9       21  1588 REJECT     all  --  any    any     static.customer-201-116-3-194.uninet-ide.com.mx  anywhere             reject-with icmp-port-unreachable
10      21  1628 REJECT     all  --  any    any     200-91-219-250-host.ifx.net.co  anywhere             reject-with icmp-port-unreachable
11      11   836 REJECT     all  --  any    any     42.42.127.124.broad.bj.bj.static.163data.com.cn  anywhere             reject-with icmp-port-unreachable
12      26  1960 REJECT     all  --  any    any     health-hub.ie        anywhere             reject-with icmp-port-unreachable
13      23  1780 REJECT     all  --  any    any     167.172.181.229      anywhere             reject-with icmp-port-unreachable
14      22  1728 REJECT     all  --  any    any     165.227.193.157      anywhere             reject-with icmp-port-unreachable
15      27  2072 REJECT     all  --  any    any     BSN-77-65-237.static.siol.net  anywhere             reject-with icmp-port-unreachable
16      22  1728 REJECT     all  --  any    any     45.43.57.225         anywhere             reject-with icmp-port-unreachable
17      23  2076 REJECT     all  --  any    any     141.98.10.60         anywhere             reject-with icmp-port-unreachable
18    4067  467K RETURN     all  --  any    any     anywhere             anywhere            
# Warning: iptables-legacy tables present, use iptables-legacy to see them

My sysctl:

$sudo sysctl --system
* Applying /etc/sysctl.d/99-openvpn.conf ...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
* Applying /etc/sysctl.d/disable-IPv6-autoconf.conf ...
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
* Applying /etc/sysctl.d/protect-links.conf ...
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

My server.conf:

$cat /etc/openvpn/server.conf 
port 51194
proto udp6
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_8ZbpYJSKFUEiZ3Zq.crt
key server_8ZbpYJSKFUEiZ3Zq.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

If you could point me in the right direction, I'd be glad.
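
The `iptables -L` listing in the report covers only the filter table, while source-NAT rules live in the nat table, and the trailing warning says rules also exist in the legacy backend. The following is an added example, not part of the original issue or of the install script: it checks an `iptables-save -t nat` dump for a source-NAT rule on the VPN subnet `10.8.0.0/24` leaving via `eno0`. The function name, the `--live` switch and the sample dumps are constructed for illustration, and the subnet is matched as an exact string.

```shell
#!/bin/sh
# Added example: look for a source-NAT rule for the VPN subnet in an
# `iptables-save -t nat` dump read from stdin.
# Usage: has_vpn_nat SUBNET IFACE < dump   (exit status 0 = rule found)
# Simplification: SUBNET is compared as an exact string, not by CIDR containment.
has_vpn_nat() {
    awk -v subnet="$1" -v iface="$2" '
        /^\*/ { in_nat = ($0 == "*nat") }      # track which table we are in
        in_nat && $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; out = ""; target = ""
            for (i = 3; i < NF; i++) {
                # iptables-save writes negation as "! -s ..." / "! -o ..."
                if ($i == "-s") src = ($(i-1) == "!" ? "" : $(i+1))
                else if ($i == "-o") out = ($(i-1) == "!" ? "!" : $(i+1))
                else if ($i == "-j") target = $(i+1)
            }
            nat = (target == "MASQUERADE" || target == "SNAT")
            # A rule without -o applies to every outgoing interface.
            if (nat && src == subnet && (out == iface || out == "")) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample dumps (not taken from the reporter's server).
SAMPLE_FILTER_ONLY='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o eno0 -j ACCEPT
-A FORWARD -i eno0 -o tun0 -j ACCEPT
COMMIT'
SAMPLE_WITH_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eno0 -j MASQUERADE
COMMIT'

# Live check of both backends (needs root): sh check-nat.sh --live
if [ "${1:-}" = "--live" ]; then
    for save in iptables-save iptables-legacy-save; do
        command -v "$save" >/dev/null 2>&1 || continue
        if "$save" -t nat | has_vpn_nat 10.8.0.0/24 eno0; then
            echo "$save: source-NAT rule for 10.8.0.0/24 found"
        else
            echo "$save: no source-NAT rule for 10.8.0.0/24"
        fi
    done
fi
```
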
